An IDS for Detecting Misbehavior Nodes in Optimized Link State Routing Protocol

8/13/2019 An IDS for Detecting Misbehavior Nodes in Optimized Link State Routing Protocol

http://slidepdf.com/reader/full/an-ids-for-detecting-misbehavior-nodes-in-optimized-link-state-routing-protocol 1/5

International Journal of Advanced Computer Science, Vol. 1, No. 2, Pp. 87-91, Aug. 2011.

Manuscript Received:20, Aug., 2011

Revised:4, Sep., 2011

Accepted:5, Sep., 2011

Published:

15, Sep., 2011

Keywords

IDS,OLSR, MANETs

Abstract Several approaches have been

proposed for Intrusion Detection Systems

(IDS) in Mobile Ad hoc Networks (MANETs).

Due to lack of MANETs infrastructure and

well defined perimeter MANETs are

susceptible to a variety of attacker types. To

develop a strong security scheme it is

necessary to understand how malicious nodes

can attack the MANETs. Focusing on the

Optimized Link State Routing (OLSR)

protocol an IDS mechanism to accuratelydetect misbehavior node(s) in OLSR protocol

based on End-to-End (E2E) communication

between the source and the destination is

proposed.

The simulation results showed that the

proposed mechanism is able to detect any

number of attackers while keeping a

reasonably low overhead in terms of network

traffic.

1. Introduction

Wireless Mobile Ad-hoc Networks (MANETs) areexpected to play a very important role in many types ofapplications. Such as military exercises, disaster relief,

community wireless and mine site operations. MANETs are

consisted of a collection of mobile nodes interconnected by

wireless links without any fixed infrastructure. Due to lack

of MANETs infrastructure and well defined perimeter,

MANETs are susceptible to a variety of attacker types.

Providing effective security for MANETs has become one

of the main challenges for researchers.At present, the Internet Engineering Task Force (IETF)

Mobile Ad hoc Networks Working Group has standardized

five routing protocols: Ad hoc On-Demand Distance Vector

(AODV)[1], Dynamic Source Routing (DSR)[2], OptimizedLink State Routing (OLSR)[3][4], Topology Dissemination

Based on Reverse-Path Forwarding (TBRPF)[5] and

Dynamic MANET On-demand (DYMO)[6].

The Optimized Link State Routing (OLSR) protocol offers

Ahmed Mohamed Abdalla PAAET, Kuwait

Imane Aly Saroit Cairo University

Amira Kotb Cairo University

Ali Hassan Afsari Kuwait University

([email protected]

[email protected]

[email protected]

[email protected])

promising performance in terms of bandwidth, required

overhead, and delivered traffic.In this paper, we present an intrusion detection system to

accurately detect misbehavior node(s) in OLSR protocol

based on End-to-End (E2E) communication between the

source and the destination. The proposed mechanism is ableto detect different attack types that could occur along the

source-destination path by utilizing special messages.

Although analysis is focused on OLSR protocol, the

proposed solution is applicable to other routing protocolsfor MANETs.

The rest of this paper is organized as follows. Section II

presented the background review for the OLSR protocol.

Section III presents the IDS overview and related works thatare important for the understanding of the material to follow.

Section IV presents the proposed contribution. The

simulation results and discussion presented in section V.

Finally, conclusions drawn from the paper and future workare given in section VI.

2. The Optimized Link State

Routing (OLSR) Protocol

OLSR is the table driven, proactive routing protocol

designed for mobile ad-hoc networks. It exchanges routing

information periodically and has route immediatelyavailable when needed. The OLSR protocol achieves

optimization by determining for each node of the network a

minimal subset of neighbors, called Multi Point Relays

(MPR) which are able to reach all 2-hop neighbors of the

node. Generally two types of routing messages are used a

HELLO message and a Topology Control (TC) message

[3-4].

1) HELLO message is periodically broadcasted by eachnode and contains the sender's identity and three lists:

- List of neighbors from which control traffic has been

heard.

- List of neighbors with which bi-directionality hasalready confirmed.

- List of MPR set of originator node.

HELLO messages are exchanged locally by neighbor

nodes and are not forwarded further to other nodes.

HELLO message is used for neighbor sensing and also

for selection of MPRs nodes.

2) TC messages are also emitted periodically by MPR

nodes. TC message contains the list of the sender's MPR

selector set. In OLSR, only MPR nodes are responsiblefor forwarding TC messages. Upon receiving TC

messages from all of the MPR nodes, each node can

An IDS for Detecting Misbehavior Nodes in Optimized

Link State Routing ProtocolAhmed Mohamed Abdalla, Imane Aly Saroit, Amira Kotb, & Ali Hassan Afsari




International Journal Publishers Group (IJPG) ©

88

learn the partial network topology and can build a route

to every node in the network. This message is used for

route calculation.

The OLSR operation can be summarized as follows:

1- Neighbor sensing: To achieve that each node broadcasts to its 1-hop neighbors HELLO messages

periodically.

2- MPR selection : There are two types of sets

• MPR set this set of selected neighbor nodes for

each node from its 1-hop neighbors. When a node

sends a routing message, only the nodes that are in

its MPR set forward this message.

• MPR selector set. Each node also maintains

information about the set of neighbors that selected

it as MPR which is called MPR selector set.

3- Topology Diffusion: Nodes that were selected as MPR

must send TC messages to construct routing table. TC

messages are flooded in the network and only MPRsare allowed to forward TC messages. Each node in

OLSR protocol has two tasks: Correctly generate the routing protocol control

traffic

Correctly relay the routing protocol control traffic

on behalf of other nodes.

3. IDS Overview and Related

Works

Intrusion detection is defined as the method to identify“any set of actions that attempt to compromise the integrity,

confidentiality, or availability of a resource”.

For Mobile Ad hoc Networks, the general function of an

IDS is detecting misbehaviors by observing the networks

traffic in a Mobile Ad hoc [7]. Most of recent researches

focused on providing preventive schemes to secure routing

in MANETs [8-12]. Key distribution and establishes a line

of defense defined in [8], [9] is based on mechanism for in

which nodes are either trusted or not and if trusted they are

not compromised. Also contribution in [10], [12] considers

the compromise of trusted nodes. It is assumed that a public

key infrastructure (PKI) and timestamp algorithm are in

place. However, the above approaches cannot preventattacks from node who own a legitimate key.

It is necessary to understand how malicious nodes canattack the MANETs. A model to address the Black Hole

Search problem algorithm and the number of agents that are

necessary to locate the black hole without the knowledge of

incoming link Developed in [13]. Watchdog and path-rater

discussed in [14] but it is noticed that it increases the

percentage of overhead significantly with the percentage

increase of misbehavior nodes. Ex-watchdog [15]

suggests modifying the previous system to decrease of percentage of overhead.

[16] Introduces IDS which formulate the problem of

distributed collaborative defense against coordinated attacksas a dynamic game problem. The same group extends theirwork in [17] by proposing detection schemes that are

suitable to detect in-band wormhole attacks. The first

detection scheme uses the Sequential Probability Ratio Test

(SPRT)[18]. The SPRT has been proven to be an optimal

detection test when the probability distributions of both

normal and abnormal behaviors are given.

A feedback mechanism to secure OLSR against the linkspoofing attacks was provided in [19], [20] the solution

assesses the integrity of control messages by correlating

local routing data with additional feedback messages called

CPM sent by the receivers of the control messages.

Another formal approach to harden the MPR selection and

thwart the attacks against OLSR suggested in [21]. This

approach validates the routing table and the topology

information using trust based reasoning. Hence, each node

can verify the validity of the received HELLO and TC

messages simply by correlating the information provided by

these messages. A technique to detect the attack by

discussing a collusion attack model against the OLSR

protocol was presented in [22].

4. Proposed Mechanism For

Detecting Misbehavior Nodes

The misbehavior node detection process that we propose

validates the communication path and detects misbehavior

nodes in the invalid paths. The successfully detected

misbehavior node is added to a black-list then the attacker is

excluded from the routing table.

OLSR security vulnerabilities can be summarized in[19]:

• Identity Spoofing

• Link spoofing

• Traffic relay/generation refusal.

• Replay attacks

• Wormhole

In this study, we are focusing only on traffic

relay/generation refusal where the malicious node acts as a black-hole and drops packets. We introduced two types of

attackers. The type-1 attacker drops all the received packets.

The type-2 attacker is smarter and drops only data packets

and exchanges control packets normally.We extend the security of OLSR in two parts. The first

part validates the communication path by sending periodicmessages. The second part is concern about finding

malicious node in the invalid path.

The process starts by sending Path Validation Messages

(PVM) periodically to the destination at a specified interval,

as shown in Fig. 1 and algorithm 1

Fig. 1 PVM process

The destination node is required to acknowledge back to the

source with a reply-PVM to verify the validity of path along



Abdalla et al .: An IDS for Detecting Misbehavior Nodes in Optimized Link State Routing Protocol 89


which the data packets are transmitted. If the PVM fails to

reach back the source node before sending the next PVM, as

shown in Fig. 2, then the source node

Fig. 2 Attacker drops data packet

Increments the number of failed PVM. N failed PVMs

mean there is a problem in the path and the source node

triggers the attacker search process. The process starts bysending Attacker Finder Message AFM to each node in the

path to destination. Each intermediate node that receives

AFM is required to do:

• Reply back to the source node with a message(AFM b) that contains information about the

hop count and the next-node-to-destination

(NNTD).

• Send AFM to the destination through NNTD.

The source node waits for acknowledgment from the

intermediate nodes for a certain time. It updates the

potential attacker information the NNTD informationreceived from each AFM b received within the waiting time.

Once the wait passes the last NNTD stored at the source is

considered the attacker. This process is illustrated in Fig. 3.

Fig. 3 AFM process with type-1 attacker

If all the nodes along the path replied back to the source

with AFM b then the source starts the 2nd

process of theattacker search. This time the source sends to each node in

the path a PVM and waits for a period of time. If the

intermediate node replied back before the waiting interval,

the source sends PVM to the next intermediate node in the path. This process is repeated till the destination. If a node

fails to reply within the waiting time then it is considered

the attacker and added to the black-list. This attacker is

considered of type-2 where it was dropping the data packets

(PVM) but not the control packets (AFM).

Fig. 4 AFM process with type-2 attacker (AFM b is forwarded to S throughthe intermediate nodes but the arrows are directly connected to S for

illustration only)

An extra step is added to ensure the type-1 attacker is

correctly detected. A PVM is sent to the attacker and if itreplied back to the source then it is considered a false

detection and removed from the black-list consequently.

ALGORITHM 1 PVM PROCESSING

1 Source Send PVM to Destination as Data packets2 Increment PVM counter

3 If PVM counter > 3 then

4 Start AFM algorithm

5 End if

6 if receiver node = destination then

7 Send PVM b back to source

8 Else

9 Forward PVMf

10 End if

11 If receiver node = source then

12 Reset PVM counter

13 End if

ALGORITHM 2 AFM PROCESSING

1 Source sends AFMf to Destination and starts a waiting time2 If receiver node = destination then

3 Send AFMb back to source

4 Else

5 Forward AFMf to destination

6 Send AFMb back to Source with information about

next-node-to-destination(NNTD) and availability of routeto destination in the routing table

7 End if

8 If Source received AFMb came from Destination then

9 No attacker detected, start advanced detection

10 Cancel AFM wait timer

11 Send PVM to each node in path to D

12 If Source receive PVM from intermediate node then

13 Node is trusted

14 Else

15 Malicious node of type-2 is detected.

16 Add to blacklist table and end AFM process

17 End if

18 Else

19 Last NNTD known by S is suspected as type-1 attacker

20 Send PVM to NNTD

If PVM received then

21 NNTD is a trusted node

22 Else

23 NNTD is confirmed as an attacker

24 End if

25 End if





90

5. Simulation Results and

Discussions

The simulation results presented in this paper were

performed using the network simulator ns2 version 2.31[23]

with modified version of the UM-OLSR [24]implementation version 0.8.8 of OLSR. The OLSR protocol

implementation follows RFC 3626. The simulation

scenarios consisted of 30 wireless nodes over an area

1500mX300m for duration of 900 seconds. We selected a

rectangular shape area to have good node scattering and

collaboration.

The PVM messages were sent at a rate of 5% from the total

data messages. We started with no attacker then added 1,

2, and 3 attackers with each simulation.

The main objective was to successfully detect the attackers.

Table 1 shows that source nodes 13, 19, and 28 were able to

detect the attackers successfully when present in the path

Fig. 5 Overhead vs. # of attackers

Figure 5 shows the overhead of our proposed algorithm

with respect to the total OLSR control packets. The figure

above shows that when there is no attacker on the networkthe percentage of overhead is nearly 12% which is due to

that PVM packets are not dropped. Once an attacker is

introduced in the network the percentage of overhead is

reduced linearly with the increased number of attackers.Also the figure shows that smart attackers (attacker Type-2)

produce overhead that is slightly larger than normal attacker

(attacker Type-1) which can be contributed to the extra

process done by the type-2 process to send AFM and PVM

packets.

Fig. 6 Dropped Packets vs. # of attackers

Figure 6 shows the relation between percentages of dropped

packets versus number of attackers. We conclude from this

figure that percentage of the dropped data packets is small

with no attacker as packets are not dropped intentionally. As

the attacker is introduced in the network the number ofdropped packet increases proportionally with the increase of

the attackers. The figure above also shows that smart

attacker (attacker Type-2) drops less packets compared to

type-1 because smart attacker drops only PVM packets and

forwards AFM packets normally.

6. Conclusions and future works

We have presented an IDS mechanism based on

End-to-End connection for securing the OLSR protocol.

Our mechanism can detect many types of misbehavior

node(s) through the path between the source and thedestination then a blacklist of misbehavior nodes is created.

The simulation results showed that our mechanism able to

detect any number of attackers while keeping a reasonably

low overhead in terms of network traffic.

What we achieved so far is allocating misbehavior activityin the network and detecting the attacking node. We are not

expecting improvement in performance at this stage as the

first task was to detect the misbehavior node. We expect

better results once an action is taken to isolate misbehavior

nodes by utilizing the blacklist created.

Our future work will be focused on how to eliminate the

misbehavior node(s) from the path between source and

destination by selecting another path which does not containany misbehavior nodes.

TABLE 1LIST ATTACKERS DETECTED IN THE PATH

detector path attacker

28 28.12.23.26.26.23.0 12

28 28.1.14.0 14

28 28.21.5.0 21

19 19.16.9.12.0 12

19 19.7.14.23.0 14

19 19.21.13.0 2113 13.21.4.0 21



Abdalla et al .: An IDS for Detecting Misbehavior Nodes in Optimized Link State Routing Protocol 91


References

[1] C. Perkins, E. Belding-Royer, & S. Das, “Ad hoc On-demandDistance Vector (AODV) Routing,” (July 2003) IETF RFC3561.

[2] D. B. Johnson, D. A. Maltz, & Y-C. Hu, “The DynamicSource Routing Protocol for Mobile Ad Hoc Networks

(DSR),” (April 2003) IETF Internet Draft , draft-ietf-manet-dsr-09.

[3] T. Clausen, P. Jacquet, A. Laouati, P. Minet, P. Muhltahler, A.Qayyum, & L. Viennot, “Optimized Link State Routing

Protocol,” (2003) IETF RFC 3626 .

[4] http://www.olsr.org[5] R. Ogier, M. Lewis, & F. Templin, “Topology Dissemination

Based on Reverse-Path Forwarding (TBRPF),” (March 2003) IETF Internet Draft , draft-ietfmanet- tbrpf-07.txt.

[6] I. Chakeres & C. Perkins, “Dynamic MANET On-demand(DYMO) routing,”

http://www.ietf.org/internet-drafts/draft-ietf-manet-dymo-08.txt, March 2007.

[7] A. Fourati, & K. Al Aghha "An IDS First Line of defense for

Ad Hoc Networks", (2007) in Proceeding of IEEE WCNC.[8] Y-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure

On-Demand Routing Protocol for Ad hoc Networks,” (2002)

in Proceedings of the MobiCom, Atlanta, Georgia, USA,September 23-28.

[9] C. Adjih, Th. Clausen, Ph. Jacquet, A. Laouiti, P. Muhlethaler,& D. Raffo, “Securing the OLSR protocol,” (2003) In Proceedings of Med-Hoc-Net , Mahdia, Tunisia, June 25.

[10] D. Dhillon, T.S. Randhawa, M. Wang & L. Lamont,“Implementing a Fully Distributed Certificate Authority in an

OLSR MANET,” (2004) IEEE WCNC2004, Atlanta, GeorgiaUSA, March 21-25.

[11] D. Raffo, C. Adjih, T. Clausen, & P. Muhlethaler, “An

Advanced Signature System for OLSR,” (2004) in Proceedings of the ACM Workshop on Security of Ad Hoc andSensor Networks (SASN 04), Washington, DC, USA, October25.

[12] C. Adjih, D. Raffo, & P. Muhlethaler, “Attacks AgainstOLSR: Distributed Key Management for Security,” (2005)

2nd OLSR Interop/ Workshop, Palaiseau, France, July 28-29.

[13] Peter Glaus, “Locating a Black Hole without the Knowledgeof Incoming Link”, (2009) Algorithmic Aspects of WirelessSensor Networks, Lecture Notes in Computer Science, vol..5304. Springer-Verlag Berlin Heidelberg, p. 128,

http://www.springerlink.com/index/h8424573040077v5.pdf

[14] S. Marti, T. J. Giuli, K. Lai, & M. Baker, "Mitigating RoutingMisbehavior in Mobile Ad hoc Network," (Aug. 2000) in 6 th

International Conference on Mobile Computing and Networking, MOBICOM'00, p255-265.

[15] Nidal Nasser, & Yunfeng chen, "Enhanced IntrusionDetection System for Discovering Malicious Node in Mobile

Ad hoc Networks," (June 2007) Communications, 2007. ICC'07. IEEE International Conference on,pp. 1154-1159.

[16] John S. Baras, Svetlana Radosavac, George

Theodorakopoulos, Dan Sterne, Peter Budulas & RichardGopaul, “Intrusion Detection System Resiliency to ByzantineAttacks: The Case Study of Wormholes in OLSR,” (Oct. 2007)

Military Communications Conference, 2007. MILCOM 2007.

IEEE , pp. 1-7, Orlando, FL, USA.[17] Shanshan Zheng, Tao Jiang, J.S. Baras, A. Sonalker, D. Sterne,

R. Gopaul, & R. Hardy, "Intrusion detection of in-bandwormholes in MANETs using advanced statistical methods," ( Nov. 2008) Military Communications Conference, 2008.

MILCOM 2008. IEEE , pp. 1-7, San Diego, CA.

[18] M.T. Refaei, Yanxia Rong, L. A. DaSilva, & Hyeong-Ah Choi,"Detecting Node Misbehavior in Ad hoc Networks," (June2007) Communications, 2007. ICC '07. IEEE InternationalConference on, pp. 3425-3430, Glasgow.

[19] J.P. Vilela & J. Barros, "A Feed Reputation Mechanism to

Secure the Optimized Link State Routing Protocol,"(September 2007) The 3rd IEEE/CreateNet InternationalConference on Security and Privacy in Communication Networks, Nice, France.

[20] J.P. Vilela & J. Barros, "A Cooperative Security Scheme for

Optimized Link State Routing in Mobile Ad-hoc Networks,"(June 2006) Proc of the 15th IST Mobile and WirelessCommunications Summit , Mykonos, Greece.

[21] Asmaa Adnane , Rafael T. de Sousa, Jr., Christophe Bidan,Ludovic Mé, "Autonomic trust reasoning enables

misbehavior detection in OLSR," (2008) Proceedings of the ACM symposium on Applied computing , pp. 2006-2013.

[22] B. Kannhavong, H. Nakayama, N. Kato, Y. Nemoto, & A.Jamalipour, "A Collusion Attack Against OLSR-based Mobile

Ad Hoc Networks," (2006) in Proceeding of IEEE

GLOBECOM .[23] The Vint Project, "The Network Simulator –ns-2,"

http://www.isi.edu/nsnam/ns/index.html[24] F. J. Ro, "UM-OLSR Documentation," University of Murcia,

March 2005, http://masimum.dif.um.es/um-olsr/html

Documents

An IDS for Detecting Misbehavior Nodes in Optimized Link State Routing Protocol